Patent Office calls itself 'not credible'

Patent Office calls itself 'not credible'

By Wilson P. Dizard III

Jun 17, 2002

The Patent and Trademark Office is vulnerable to widespread systems disasters, said the office's own 21st Century Strategic plan. The June 3 document said, 'Neither external nor external customers can trust the USPTO's automated systems' and that grave flaws in its information security and disaster recovery operations have rendered the office 'not credible' to internal and external users.

A PTO spokesman declined to comment. The distribution letter was signed by PTO director James E. Rogan, who is undersecretary of Commerce for intellectual property.

The plan said the Commerce Department's inspector general is preparing a second negative report about PTO systems. That report, with previous reports, 'attests to the fact that USPTO is not in compliance with [the Government Information Security Reform Act and] IT security has not yet become an integral part of USPTO's business operations and, therefore, fundamental responsibilities are frequently not carried out.'

The agency has named an interim IT security program manager, but the security program lacks funding, the plan said. Without new funds, it said, the agency cannot comply with security requirements for at least five years. If the agency attempts to remedy its security problems without contractor support, or using only contractor support, its lack of security compliance will continue for three years.

The plan recommended that the patent office use both government and contractor staff to implement security upgrades. Otherwise it risks financial loss, disruption, systems damage, data loss or alteration, property loss, and 'embarrassment and loss of trust and goodwill,' the plan said.

Agency systems face many intrusion attempts daily, according to the plan. 'Without proper protection, any number of these intrusions can lead to many dollars spent to recover from damage inflicted during intrusions and recovery,' patent office planners wrote. 'Destruction, loss or misuse of sensitive data/information can lead to immeasurable costs. ' Lack of protection for USPTO IT operational systems and their infrastructure is not an option at this point.'

The fact that the agency has no disaster recovery plan jeopardizes its single data center, which has 283 servers running Microsoft Windows NT, 137 Unix servers and 200T of high-speed storage subsystems linked by a network called PTONet. 'A disaster striking the single data center would have a catastrophic effect' financially and from a production standpoint, the plan said.

Revenue loss associated with the loss of the data center would amount to about $7 million per day, it said.

The agency is setting up a mirrored data storage system to duplicate its production storage on physically separate devices outside the Washington area. About 100T is stored on the mirrored system with the remaining 100T in RAID Level 2 format.

'In the event of a disaster destroying the data center, this would offer no protection,' the plan said.

The patent office does back up its data on tapes that are stored away from its main office. In the event of disaster, PTO would have to find a facility with servers, storage and communications systems, and recover from tape backups. Recovery would take about 47 months at a cost of $550 million, the planners wrote. If the agency implemented data replication at a cost of $56 million over three years, systems could be restored after a disaster within six to nine months at a cost of $70 million to $105 million.

The patent office is located within walking distance of the Pentagon and Reagan National Airport, both prime targets for terrorist attack.